SCA (Software Composition Analysis)

Software Composition Analysis scans your dependencies — both direct and transitive — against vulnerability databases to flag known CVEs.

Definition

Software Composition Analysis (SCA) is the family of tools that scan a project's dependency graph for known vulnerabilities. Inputs are package manifests and lockfiles (`package.json` / `package-lock.json`, `Gemfile.lock`, `requirements.txt`, `go.mod` / `go.sum`, `pom.xml`) or an SBOM; the tool takes the resolved transitive graph from the lockfile (or resolves it itself when only a manifest is present) and looks each component's name and version up against vulnerability databases (NVD, the GitHub Advisory Database, OSV.dev, vendor feeds). Results are only as precise as the input: a lockfile pins every transitive version, whereas an unpinned manifest (`requests>=2.0` in `requirements.txt`, `^4.17.0` in `package.json`) forces the tool to guess which version will actually be installed.
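The lookup step described above, as an added worked example that is not the page's own code and not any SCA product's code: a minimal scanner in Python that walks a constructed npm `package-lock.json` (lockfileVersion 3 layout), records the dependency path to each component, and matches each resolved version against advisories written in OSV's schema, where a vulnerable range is a list of `introduced` / `fixed` / `last_affected` events. The lockfile, package names, versions and advisory identifiers are all invented for the example; the lockfile walk assumes a flat `node_modules/<name>` layout and does not handle nested duplicates.

```python
"""Minimal SCA pass: walk an npm lockfile's dependency graph and match each
resolved component against OSV-format advisories. Illustrative only."""
import json
from collections import deque

# Constructed sample lockfile (npm lockfileVersion 3 layout). Package names
# and versions are invented for this example.
LOCKFILE = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"web-framework": "^4.17.0"}},
    "node_modules/web-framework": {"version": "4.17.1",
                                   "dependencies": {"query-parse": "^6.9.0"}},
    "node_modules/query-parse": {"version": "6.9.1"},
    "node_modules/string-pad": {"version": "1.0.0", "dev": true}
  }
}
""")

# Constructed advisories using OSV's schema. The IDs are invented; in a real
# scan these records come from OSV.dev, GHSA or a vendor feed.
ADVISORIES = [
    {"id": "SAMPLE-ADV-0001", "summary": "prototype pollution (constructed)",
     "affected": [{"package": {"ecosystem": "npm", "name": "query-parse"},
                   "ranges": [{"type": "SEMVER", "events": [
                       {"introduced": "6.5.0"}, {"fixed": "6.9.2"}]}]}]},
    {"id": "SAMPLE-ADV-0002", "summary": "ReDoS (constructed)",
     "affected": [{"package": {"ecosystem": "npm", "name": "web-framework"},
                   "ranges": [{"type": "SEMVER", "events": [
                       {"introduced": "0"}, {"fixed": "4.17.0"}]}]}]},
]


def semver_key(version):
    """Comparable (major, minor, patch) tuple; pre-release/build tags dropped."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def in_vulnerable_range(version, events):
    """Evaluate an OSV SEMVER event list: 'introduced' is inclusive,
    'fixed' is exclusive, 'last_affected' is inclusive."""
    v = semver_key(version)
    lo = None
    for ev in events:
        if "introduced" in ev:
            lo = semver_key(ev["introduced"])
        elif "fixed" in ev:
            if lo is not None and lo <= v < semver_key(ev["fixed"]):
                return True
            lo = None
        elif "last_affected" in ev:
            if lo is not None and lo <= v <= semver_key(ev["last_affected"]):
                return True
            lo = None
    return lo is not None and v >= lo  # open range: introduced, never fixed


def dependency_paths(lockfile):
    """BFS from the root project; gives each component's shortest path."""
    pkgs = lockfile["packages"]
    paths = {}
    queue = deque([("", [])])
    while queue:
        key, path = queue.popleft()
        for dep in pkgs.get(key, {}).get("dependencies", {}):
            dep_key = "node_modules/" + dep  # flat layout assumed
            if dep_key in pkgs and dep_key not in paths:
                paths[dep_key] = path + [dep]
                queue.append((dep_key, paths[dep_key]))
    return paths


def scan(lockfile, advisories, ecosystem="npm"):
    """Return one finding per (component, advisory) match, with the path
    through which the component is pulled in so triage can see whether a
    fix is a direct bump or an upstream dependency's problem."""
    paths = dependency_paths(lockfile)
    findings = []
    for key, entry in lockfile["packages"].items():
        if not key:  # the root project itself
            continue
        name = key.rsplit("node_modules/", 1)[1]
        version = entry["version"]
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
                    continue
                for rng in aff["ranges"]:
                    if rng["type"] != "SEMVER":
                        continue
                    if in_vulnerable_range(version, rng["events"]):
                        fixed = next((e["fixed"] for e in rng["events"]
                                      if "fixed" in e), None)
                        findings.append({
                            "package": name, "version": version,
                            "advisory": adv["id"], "fixed_in": fixed,
                            "path": " > ".join(paths.get(key, [name])),
                            "direct": len(paths.get(key, [])) == 1,
                            "dev_only": bool(entry.get("dev")),
                        })
    return findings


if __name__ == "__main__":
    for finding in scan(LOCKFILE, ADVISORIES):
        print(finding)
```

Running it reports one finding: `query-parse` 6.9.1 sits inside `[6.5.0, 6.9.2)` and is reached transitively via `web-framework`, so the fix is an upstream bump rather than an edit to the project's own manifest; `web-framework` 4.17.1 is at or past the fixed version, so the second advisory does not match.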

SCA is distinct from SAST (analysis of your own source code) and from DAST (analysis of the running application). Each catches a different bug class; mature programs run all three. A SCA match means a vulnerable version is present in the graph, not that the vulnerable code path is reachable from your application, so findings still need triage (or reachability analysis) before they are treated as exploitable.

Mitigation

Not applicable.

See also

References